
Merge pull request #183 from caitong93/kubelet-ca
Add kubelet-certificate-authority flag
k8s-ci-robot authored Mar 8, 2019
2 parents 92d8412 + f724d6a commit ea4d74a
Showing 2 changed files with 9 additions and 3 deletions.
9 changes: 8 additions & 1 deletion cmd/metrics-server/app/start.go
Expand Up @@ -61,6 +61,7 @@ func NewCommandStartMetricsServer(out, errOut io.Writer, stopCh <-chan struct{})
flags.IntVar(&o.KubeletPort, "kubelet-port", o.KubeletPort, "The port to use to connect to Kubelets.")
flags.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)")
flags.StringSliceVar(&o.KubeletPreferredAddressTypes, "kubelet-preferred-address-types", o.KubeletPreferredAddressTypes, "The priority of node address types to use when determining which address to use to connect to a particular node")
flags.StringVar(&o.KubeletCAFile, "kubelet-certificate-authority", "", "Path to the CA to use to validate the Kubelet's serving certificates.")

flags.MarkDeprecated("deprecated-kubelet-completely-insecure", "This is rarely the right option, since it leaves kubelet communication completely insecure. If you encounter auth errors, make sure you've enabled token webhook auth on the Kubelet, and if you're in a test cluster with self-signed Kubelet certificates, consider using kubelet-insecure-tls instead.")

Expand Down Expand Up @@ -89,6 +90,7 @@ type MetricsServerOptions struct {
KubeletPort int
InsecureKubeletTLS bool
KubeletPreferredAddressTypes []string
KubeletCAFile string

DeprecatedCompletelyInsecureKubelet bool
}
Expand Down Expand Up @@ -171,7 +173,12 @@ func (o MetricsServerOptions) Run(stopCh <-chan struct{}) error {
informerFactory := informers.NewSharedInformerFactory(kubeClient, 0)

// set up the source manager
kubeletConfig := summary.GetKubeletConfig(clientConfig, o.KubeletPort, o.InsecureKubeletTLS, o.DeprecatedCompletelyInsecureKubelet)
kubeletRestCfg := rest.CopyConfig(clientConfig)
if len(o.KubeletCAFile) > 0 {
kubeletRestCfg.TLSClientConfig.CAFile = o.KubeletCAFile
kubeletRestCfg.TLSClientConfig.CAData = nil
}
kubeletConfig := summary.GetKubeletConfig(kubeletRestCfg, o.KubeletPort, o.InsecureKubeletTLS, o.DeprecatedCompletelyInsecureKubelet)
kubeletClient, err := summary.KubeletClientFor(kubeletConfig)
if err != nil {
return fmt.Errorf("unable to construct a client to connect to the kubelets: %v", err)
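Review bot: The new `--kubelet-certificate-authority` value is applied only by swapping `TLSClientConfig.CAFile` and clearing `CAData` (lines 39–42), so when an operator also passes `--kubelet-insecure-tls` the CA file is presumably discarded further down in `GetKubeletConfig` without any warning; a check in option validation such as `if len(o.KubeletCAFile) > 0 && o.InsecureKubeletTLS { return fmt.Errorf("--kubelet-certificate-authority cannot be combined with --kubelet-insecure-tls") }` would surface the conflict at startup instead of silently running without verification. The same validation is the natural place to confirm the CA file is readable, so a mistyped path fails at start rather than at the first scrape. As a point of style, the flag default on line 21 is the literal `""` while the sibling flags pass the field's current value; `o.KubeletCAFile` would keep them consistent, and the new `KubeletCAFile` field in the options struct could carry a comment such as `// KubeletCAFile is the path to a CA bundle used to verify Kubelet serving certificates; empty means use the CA from clientConfig.` The `Run` body continues outside the hunk.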
3 changes: 1 addition & 2 deletions pkg/sources/summary/configs.go
Expand Up @@ -21,8 +21,7 @@ import (
)

// GetKubeletConfig fetches connection config for connecting to the Kubelet.
func GetKubeletConfig(baseKubeConfig *rest.Config, port int, insecureTLS bool, completelyInsecure bool) *KubeletClientConfig {
cfg := rest.CopyConfig(baseKubeConfig)
func GetKubeletConfig(cfg *rest.Config, port int, insecureTLS bool, completelyInsecure bool) *KubeletClientConfig {
if completelyInsecure {
cfg = rest.AnonymousClientConfig(cfg) // don't use auth to avoid leaking auth details to insecure endpoints
cfg.TLSClientConfig = rest.TLSClientConfig{} // empty TLS config --> no TLS
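Review bot: Dropping the `rest.CopyConfig` call on line 55 changes the ownership contract of `GetKubeletConfig` — any in-place write to `cfg` in the rest of the function (the `insecureTLS` path, which is outside the hunk, is the likely candidate) now lands in the caller's `*rest.Config` rather than a private copy. The one caller visible in this commit passes a fresh copy, but the doc comment on line 53 does not say that this is now required, so the next caller is likely to hand in its shared API-server config. Suggested wording: `// GetKubeletConfig fetches connection config for connecting to the Kubelet. It takes ownership of cfg and may modify it; pass rest.CopyConfig(...) if the original must be preserved.` The function body continues past the end of the hunk.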
